The Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet, potentially written by the same people who wrote Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name came about due to the “~DQ” prefix given to the files it created on the systems it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability in Microsoft software to exploit the operating system and install the components of the worm stealthily, and just like Stuxnet, it also installs a driver with a valid digital signature; the digital certificate used for this seems to have been stolen from a company in Taiwan.

However, the similarities do not carry over to the suspected intentions of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install malware that records keystrokes and collects other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu as a “precursor to the next Stuxnet.” It does make one wonder what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with Duqu, there is another curious connection to Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as a means for the attackers to remotely control the malware: for example, to download new executables onto the infected machine, exfiltrate sensitive information from it, update the malware itself and sometimes even to destroy or deactivate it. One of only three C&C servers identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) it belonged to were being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because the system was managed by the client itself, Web Werks did not have any control over what was running on it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website, and officials have refused to comment on the development as it pertains to an ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up to forward all the traffic from the worm to other servers, making the final endpoint of the C&C chain hard to pinpoint.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

US President Barack Obama announced last year that America’s digital infrastructure is a “strategic national asset,” and set up a new Cyber Command headed by the director of the National Security Agency, signaling the importance of cyberpower in a nation’s internal and foreign policy. “Cyberpower and National Security” is one of the most comprehensive and scholarly books available on the topic of cyberpower.

The book is divided into six broad sections. The first three chapters form the foundation section that aims to identify and discuss major policy issues and formulate a preliminary theory of cyberpower. Chapter 1 looks at the key policy issues, categorizing them into structural and geopolitical. Chapter 2 establishes a common vocabulary for the cyber domain, with definitions for key concepts of cyberspace, cyberpower, and cyber strategy. Chapter 3 presents the initial theory of cyberpower.

Chapters 4 to 9 form the second section, “Cyberspace.” Chapter 4 looks at the structural elements that constitute cyberspace, while chapter 5 identifies vulnerabilities affecting the critical national infrastructure of the US, including power grids, communication systems, and cyberspace infrastructure. In chapter 6, the authors look at trends in cyberspace: the proliferation of broadband, the move to Internet Protocol version 6 (IPv6), increasing software complexity, the rise of online communities, and so on. Chapter 7 looks at the information security issues affecting the Internet, on both a small and a large scale. Chapter 8 raises several policy issues that the authors think are relevant to the future of cyberspace, including security, identity, and location-aware computing, while chapter 9 explores the biotech revolution and the blurring of lines between humans and technology.

Section 3, “Military Use and Deterrence,” consists of four chapters. Chapter 10 looks at environmental power theories, compares them to cyberpower, and comes up with common features. Chapter 11 considers the question of whether networking operators do indeed improve operational effectiveness. Chapter 12 provides an overview of the cyberspace and cyberpower initiatives undertaken by the military, and chapter 13 looks at the contentious issue of the deterrence of cyber attacks.

The chapters in section 4, “Information,” look at the power of information and its role in the military and government. Chapter 14 examines the strategic influence of cyberspace information on international security. Chapter 15 explores the challenges associated with influence operations at the tactical level, while chapter 16 looks at the related issue of how information and communication technology and strategy can influence stability operations. This topic is further pursued in chapter 17, which analyzes various policy and institutional activities.

Section 5, composed of three chapters, looks at the way cyberpower can empower nations, terrorists, and criminals. Chapter 18 considers the way crime has advanced in cyberspace, especially the use of cyberspace by organized crime to further their agenda. Chapter 19 tries to scope the term “cyber terrorism,” and considers the debated question of whether it exists or is just a myth. Chapter 20 looks at the use of cyberspace by China and Russia.

In the last section, chapter 21 looks at the complex and sensitive issue of Internet governance and how the US can achieve “Internet influence” in the face of pressure from other nations. Chapter 22 discusses legal issues associated with cyber warfare, particularly two classes of problems: lawful resort to force and use of force in wartime. Chapter 23 provides a critical assessment of the US federal efforts to protect critical infrastructure. The last chapter pushes for setting up a Cyber Policy Council to provide a structured solution to some of the vexing problems in the area.

Compared to other books on the topic [1,2], this book is very detailed and theoretical in its coverage. Given its comprehensive coverage, it should be read and digested by those who have more than a passing interest in cyberpower and cyber strategy and a liking for a more scholarly treatment of the problem space.

1) Carr, J. Inside Cyber Warfare. O’Reilly, Sebastopol, CA, 2009.

2) Clarke, R.A.; Knake, R. Cyber War: The Next Threat to National Security and What to Do About It. Ecco, New York, NY, 2010.

“The dawn of offensive cyber-warfare” has brought with it highly sophisticated target selection that goes beyond attacking virtual assets like websites and banking front-ends. The latest in the line is the Stuxnet epidemic that targeted a specific electronic chip apparently used in Iranian nuclear reactors. One expert even attributed a malfunction in INSAT-4B to Stuxnet because it used the same electronic chip.

In the current cyber defense climate, traditional military or political approaches to deterring attacks are ineffective because of the problem of attribution, i.e. identifying the attacker. The anonymity afforded by the internet’s administrative regime not only works to the advantage of much-needed individual freedoms but also provides a veil behind which attackers hide. With the potential for taking down banks, power grids, stock exchanges and medical systems, cyber attacks can now have devastating effects on lives and economies.

Attempts to attribute cyber attacks normally focus exclusively on the cyber world. This, however, is a sure-shot path to attribution hell. Just as the victims have to deal with the physical-world aspects of an attack, the attackers too are limited by them. The interconnections between the virtual and the physical world are an observation on which an early warning system can be built. Consider the recent reports of the Chinese internet hijack. It was observed that internet traffic that should not have been flowing into computers in China was actually being diverted there. Depending on who you ask, the amount of traffic diverted into a particular Chinese ISP ranged from 1% to 15% of all the traffic on the internet. The diversion used a weakness in the way traffic over the internet is routed from source to destination. Regardless of whether it was actually a hijack, a configuration mistake or a trial run, the fact remains that this weakness in the internet is a powerful tool in the hands of state and non-state actors for snooping on confidential data. Such an exercise would require massive resources in terms of processing power, data storage, power and cooling, and trained manpower. It would require months of preparation to get the server farms operating at maximum performance and to develop tools for analysing the huge amount of data captured. Each one of the variables above would require an administrative backend to enable the setting up of such server farms. It would need the appropriate human resources to run the farms, leading to the need for recruitment and training. It would need equipment, which would have to be manufactured or procured. Manufacturing in turn would need raw materials, which could come from almost anywhere in the world today. On the one hand, the large number of variables can make it a difficult exercise to track supplies of such equipment and raw materials. On the other hand, it increases the number of interactions that need to take place with the physical world in order to undertake a cyber operation of that scale. An argument can be made that the larger number of sources of raw materials makes observation harder, but businesses are already using advanced data analytics to mine similar information in order to gain a competitive edge. Spikes in power consumption, sales of microchips, storage media and specialised cooling equipment are just some of the other obvious signs that such a project is being undertaken. And sure enough, these are exactly the kind of things that traditional intelligence gathering and analysis excels at. Remember how the unusual supply movements in the areas opposite Kargil were interpreted correctly by some as a sign of enhanced operational readiness of the Pakistan Army?

In the case of China, with its massive manufacturing base, it could be argued that the equipment could be sourced internally. However, so many raw materials go into setting up an operation of this scale that a persistent supply chain expert should be able to identify the relevant flows for use in cyber early warning or cyber forensics.

Measures taken by states make it tougher to see through the mask of purchases made for cyber operations. As the USCC report points out, in China a large part of the onus for censorship is offloaded to private enterprises, with Baidu as an example of how a company run with US capital and US board members engages in such censorship. Of course, the work-around would be to analyse the regulations in China, again pointed out by the USCC report, that “provide unfair advantage to homegrown technology companies” and watch those companies that benefit from them. Such tasks are well within the duties and expertise of agencies that deal with economic intelligence. It is time that such traditional strengths were used in attributing cyber attacks.

An argument could be made that cyber early warning would not be feasible against a silent multi-month effort like the one against Indian government and Tibetan computers. True, there are major differences. For one, the alleged reason the Tibetan government officials suspected an espionage angle was that, during negotiations, Chinese officials were already well prepared with counter-arguments against the Tibetan positions. As the Shadows in the Cloud report alleges, this was because the secret negotiation papers had been exfiltrated by malware installed on Tibetan computers. The point to remember is that a cyber early warning system attempts to overcome the attribution problem. It cannot help if a system’s security mechanisms are broken and basic access policies for confidential data are absent or ignored. That is a system and network security problem and cannot be solved within the scope of an attribution system.

Physical-world indicators can help in attribution. A sophisticated early warning or alarm system can even help predict attacks rather than just assist in attribution after an attack. Such a system would require the aggregation of indicators from other fields like politics and the military. Analysis of such indicators is already performed as part of traditional intelligence gathering, and there is no reason why such collection and analysis cannot be extended to track cyberwar operations. Interested readers can find the theoretical framework behind cyber early warning, developed by Ned Moran, discussed in Jeffrey Carr’s excellent book, Inside Cyber Warfare: Mapping the Cyber Underworld.

The US-China Economic and Security Review Commission has just recently submitted its 2010 report to the US Congress (PDF), and the chapter on “China and the Internet” is a particularly interesting read. It touches on various topics, including:

Use of the Internet for “propaganda and ideological work” as well as to “guide public opinion”

While I hate fear-mongering with a vengeance, it would be stupid to ignore the warning signs emanating from China. Information warfare has been absorbed into Chinese military thinking and philosophy, and we will be sitting ducks if we do not take evasive, defensive and offensive actions.